[f-nsp] [4G SSL] ACLs flow-based Vs rule-based
Youssef Ghorbal
Youssef.Ghorbal at netplus.fr
Fri May 1 15:49:43 EDT 2009
the 4G SSL is running ver 11.0.00aTI4
Youssef Ghorbal
------------------------------------
On May 1, 2009, at 3:59 PM, Ryan DeBerry wrote:
> What version of code are you running?
>
> On Fri, May 1, 2009 at 12:44 PM, Youssef Ghorbal <Youssef.Ghorbal at netplus.fr> wrote:
> Hello,
>
> We are migrating a ServerIronXL to a 4G SSL box. Both act in
> L3 mode (they are "routers" and not "switches").
> In the ServerIronXL we used to have an ACL on the uplink
> interface of the box. Something like:
>
> interface ethernet 1
> ip access-group ALL-IN in
>
> The ACL is applied on the ethernet interface and not on the VE.
> In the 4G SSL box, the ip access-group command does not exist
> in the "interface ethernet 1" context. But it does in the VE context
> (ip interface ve 1).
> It seems that ACLs apply on a per-VLAN basis now.
>
> Also, in the documentation, a distinction is made between
> flow-based ACLs and rule-based ACLs, but I can't see the real
> difference between the two. In which cases is it useful to use flow-
> based ACLs and in which is it not?
>
> My problem is this:
> In the past we used to have a "big" ACL applied on the uplink
> port. The big ACL contains rules regarding all subnets (VEs)
> configured on the ServerIronXL.
> On the 4G SSL, ACLs are applied on a VE basis. And I have to
> choose to use rule-based or flow-based ACLs.
>
> Should I keep the big ACL and apply it to all VE interfaces?
> Should I make an ACL per VE? (divide the big ACL into little
> ones)
> Should I activate flow-based ACLs or rule-based ones? It
> would be nice if someone could explain to me the exact difference between
> them.
>
> Regards,
> Youssef Ghorbal
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp